WordPress still suffers from the reputation of being not secure. We state There are no unsecure WordPress sites, only poorly upkept WordPress sites. Here is a list of ways to improve the security of your WordPress site – starting from regular updates which we naturally handle without any extra cost.
1. Keep WordPress up to date
Make sure that you always have the latest version of WordPress installed. You can check that you are using the latest WordPress software version at Dashboard > Updates.
Also, make sure that all your plugins and themes are using the latest versions, and especially avoid using plugins and themes that are not actively updated. Plugins and themes that aren’t up to date and contain vulnerable code are often easy ways for attackers to access your site.
An easy way to keep WordPress up to date is to use automatic updates. In addition to the core update , you can get WordPress to handle plugin and theme updates by adding the following rows to the wp-config.php file.
define('WP_AUTO_UPDATE_CORE', true); add_filter( 'auto_update_plugin', '__return_true' ); add_filter( 'auto_update_theme', '__return_true' );
However, automatic updates will not always work as they should – something on the site can break because of one. At Seravo, we have solved this problem by always automatically testing updates before they can be seen on the actual site. Our customers don’t have to worry about updates at all, because we always keep the WordPress core and plugins up-to-date . Read more about WordPress and plugin updates at Seravo.
2. Remember good password hygiene
Password hygiene is just as important to remember as washing your hands during the flu season. Don’t use short passwords that are easy to guess. Also, avoid creating usernames that can be easily guessed such as admin ori <site name>.
3. Back your site up
Make sure that your service provider makes daily backups for at least 30 days, both of your site’s files and the database. In the event of a possible attack or fault it’s important that you have access to up-to-date backups of your site.
- How long are the backups stored?
- Are the backups in a different physical location to the site?
- How easy is it to restore the site backups?
At Seravo, the site database and files are backed up daily and the copies are stored for 30 days. At any time, the site can be restored to an earlier state, for instance, after an information security breach or a human error made by the user. At Seravo, security is a standard feature.
4. Disallow the file editor
The WordPress file editor enables the user to directly edit PHP files on the server. This is often the easiest way for an attacker to add harmful code to the site. In most cases, the file editor is also completely useless for the user.
You can disallow the file editor by adding the following row to your wp-config.php file.
5. Remove error display
To facilitate WordPress development, it’s possible to use error report mode where PHP lever errors are displayed on the site when something in the code goes wrong.
These error messages may include information that accidentally helps the attacker to find vulnerabilities and other sensitive information about your site or server environment.
Error message display can be disabled by adding the following rows to the wp-config.php file:
define('WP_DEBUG', false); define('WP_DEBUG_DISPLAY', false); define('SCRIPT_DEBUG', false); ini_set('display_errors', 0); ini_set('log_errors', 'On');
6. Choose a reliable service provider
An information-secure WordPress installation alone is only half the battle. The server that your WordPress site is on should also be secure and up to date. Server software (such as PHP, MySQL and Apache) and the Linux operating system should be updated regularly so that the server cannot be accessed from outside WordPress.
You should also remember that the more inexpensive Shared Hosting service providers, in particular, have several WordPress sites on the same server, which could mean that a security breach on someone else’s WordPress site could also lead to a breach on your site.
A service provider with excellent WordPress skills can better take into account any possible information security risks. Seravo is specialized in WordPress sites, and it can observe system requirements at the server level, in maintenance and in customer service.
Bonus: Use fewer plugins
Always remove unnecessary plugins from your site. Each extra plugin installed may slow your site down, as well as opening up more opportunities for attacker to find vulnerabilities. You might also forget to update the unused plugins, presenting your site with an additional threat.
Sites with a lot of plugins often have more compatibility problems and errors and are more time-consuming to maintain. It’s always a good idea to keep the number of plugins at a minimum to avoid problems and extra work.
If you are not using a plugin, remove it.
Because there is are so many WordPress plugins out there, they include some that cannot be recommended or can even be harmful. We have listed our own recommendations of useful plugins and those that should you should avoid here .
Maintaining information security on your WordPress site is a complex task. Just installing an information security plugin on your site is not enough: achieving a high level of information security requires ongoing work.
At Seravo, a team of server and WordPress experts takes care of your site’s information security, meaning you don’t have to invest time and energy in information security. So if any of the six points above sounded unfamiliar or difficult, you should talk to Seravo: we’ll take care of your site’s information security for you. Have a look at our plans for WordPress maintenance services and contact us!
If you feel that the list is missing an important information security tip regarding WordPress, share that with us in the comments!